Abstract

We consider the problem of fixed-polynomial lower bounds on the size of arithmetic
circuits computing uniform families of polynomials. Assuming the Generalised Riemann
Hypothesis (GRH), we show that for all $k$, there exist polynomials with coefficients in
MA having no arithmetic circuits of size $O(n^k)$ over C (allowing any complex constant).
We also build a family of polynomials that can be evaluated in AM having no arithmetic
circuits of size $O(n^k)$. Then we investigate the link between fixed-polynomial size circuit
bounds in the Boolean and arithmetic settings. In characteristic zero, it is proved that
NP $\not\subset \mathrm{size}(n^k)$, or MA $\subset \mathrm{size}(n^k)$, or NP = MA imply lower bounds on the circuit size of
uniform polynomials in $n$ variables from the class VNP over C, assuming GRH. In positive
characteristic $p$, uniform polynomials in VNP have circuits of fixed-polynomial size if and
only if both VP = VNP over $\mathbb{F}_p$ and $\mathsf{Mod}_p\mathsf{P}$ has circuits of fixed-polynomial size.


1 Introduction 

Baur and Strassen [3] proved in 1983 that the number of arithmetic operations needed to
compute the polynomials $x_1^n + \dots + x_n^n$ is $\Omega(n \log n)$. This is still the best lower bound on
uniform polynomials on $n$ variables and of degree $n^{O(1)}$, if uniformity means having circuits
computed in polynomial time.

If no uniformity condition is required, lower bounds for polynomials have been known since
Lipton [13]. For example, Schnorr [18], improving on [13] and Strassen [20], showed for any $k$
a lower bound $\Omega(n^k)$ on the complexity of a family $(P_n)$ of univariate polynomials of degree
polynomial in $n$, even allowing arbitrary complex constants in the circuits. The starting
point of Schnorr's method is to remark that the coefficients of a polynomial computed by a
circuit using constants $a = (a_1, \dots, a_p)$ are given by a polynomial mapping in $a$. Hence, finding
hard polynomials reduces to finding a point outside the image of the mapping associated to
some circuit which is universal for a given size. This method has been studied and extended
by Raz [16].

In the Boolean setting, this kind of fixed-polynomial lower bound has already drawn a
lot of attention, from Kannan's result [10] proving that for all $k$, $\Sigma_2^p$ does not have circuits
of size $n^k$, to [5], delineating the frontier of Boolean classes which are known to have fixed-polynomial
size circuit lower bounds. It might seem easy to prove similar lower bounds in
the algebraic world, but the fact that arbitrary constants from the underlying field (e.g. C)
are allowed prevents Boolean techniques from being readily adapted.

Different notions of uniformity can be thought of, either in terms of the circuits computing 
the polynomials, or in terms of the complexity of computing the coefficients. For instance, 
an inspection of the proof of Schnorr's result mentioned above shows that the coefficients 
of the polynomials can be computed in exponential time. But this complexity is generally 
considered too high to qualify these polynomials as uniform. 

The first problem we tackle is the existence of hard polynomials (i.e. without small circuits
over C) but with coefficients that are "easy to compute". The search for a uniform family of
polynomials with no circuits of size $n^k$ was pursued recently by Jansen and Santhanam [8].
They show in particular that there exist polynomials with coefficients in MA (thus, uniform
in some sense) but not computable by arithmetic circuits of size $n^k$ over $\mathbb{Z}$.¹ Assuming
the Generalised Riemann Hypothesis (GRH), we extend their result to the case of circuits
over the complex field. GRH is used to eliminate the complex constants in the circuits, by
considering solutions over $\mathbb{F}_p$ of systems of polynomial equations, for a small prime $p$, instead
of solutions over C. In fact, the family of polynomials built by Jansen and Santhanam is also
uniform in the following way: it can be evaluated at integer points in MA. Along this line, we
obtain families of polynomials without arithmetic circuits of size $n^k$ over C and that can be
evaluated in AM. The arbitrary complex constants prevent us from readily adapting Jansen and
Santhanam's method and we need to use in addition the AM protocol of Koiran [11] in order
to decide whether a system of polynomial equations has a solution over C.

Another interesting and robust notion of uniformity is provided by Valiant's algebraic 
class VNP, capturing the complexity of the permanent. The usual definition is non-uniform, 
but a natural uniformity condition can be required and gives two equivalent characterisations: 
in terms of the uniformity of circuits and in terms of the complexity of the coefficients. This is 
one of the notions we shall study in this paper and which is also used by Raz [16] (where the 
term explicit is used to denote uniform families of VNP polynomials). The second problem we 
study is therefore to give an $\Omega(n^k)$ lower bound on the complexity of an $n$-variate polynomial
in the uniform version of the class VNP. Note that from Valiant's criterion, it corresponds to
the coefficients being in GapP, so it is a special case of coefficients that are easy to compute.
Even though MA may seem a small class in comparison with GapP (in particular due to Toda's
theorem $\mathsf{PH} \subseteq \mathsf{P}^{\#\mathsf{P}}$), the result obtained above does not yield lower bounds for the uniform
version of VNP.

We show how a fixed-polynomial circuit size lower bound on uniform VNP is connected to
various questions in Boolean complexity. For instance, the hypothesis that NP does not have
circuits of size $n^k$ for all $k$, or the hypothesis that MA has circuits of size $n^k$ for some $k$,
both imply the lower bound on the uniform version of VNP assuming GRH. Concerning the
question on finite fields, we show an equivalence between lower bounds on uniform VNP and 
standard problems in Boolean and algebraic complexity. 

The paper is organised as follows. Definitions, in particular of the uniform versions of
Valiant's classes, are given in Section 2. Hard families of polynomials with easy to compute
coefficients, or that are easy to evaluate, are built in Section 3. Finally, conditional lower
bounds on uniform VNP are presented in the last section.

¹ Even though this result is not stated explicitly in their paper, it is immediate to adapt their proof to our
context.

2 Preliminaries 

Arithmetic circuits 

An arithmetic circuit over a field $K$ is a directed acyclic graph whose vertices have indegree
0 or 2 and where a single vertex (called the output) has outdegree 0. Vertices of indegree 0
are called inputs and are labelled either by a variable $x_i$ or by a constant $\alpha \in K$. Vertices of
indegree 2 are called gates and are labelled by $+$ or $\times$.

The polynomial computed by a vertex is defined recursively as follows: the polynomial
computed by an input is its label; a $+$ gate (resp. $\times$ gate), having incoming edges from
vertices computing the polynomials $f$ and $g$, computes the polynomial $f + g$ (resp. $fg$). The
polynomial computed by a circuit is the polynomial computed by its output gate.

A circuit is called constant-free if the only constant appearing at the inputs is $-1$. The
formal degree of a circuit is defined by induction in the following way: the formal degree of a
leaf is 1, and the formal degree of a sum (resp. product) is the maximum (resp. sum) of the
formal degree of the incoming subtrees (thus constants "count as variables" and there is no
possibility of cancellation).

We are interested in sequences of arithmetic circuits $(C_n)_{n \in \mathbb{N}}$, computing sequences of
polynomials $(P_n)_{n \in \mathbb{N}}$ (we shall usually drop the subscript "$n \in \mathbb{N}$").

Definition 1. Let $K$ be a field. If $s : \mathbb{N} \to \mathbb{N}$ is a function, a family $(P_n)$ of polynomials over
$K$ is in $\mathrm{asize}_K(s(n))$ if it is computed by a family of arithmetic circuits of size $O(s(n))$ over
$K$.

Similarly, $\mathrm{size}(s(n))$ denotes the set of (Boolean) languages decided by Boolean circuits of
size $O(s(n))$.

Counting classes 

A function $f : \{0,1\}^* \to \mathbb{N}$ is in #P if there exists a polynomial $p(n)$ and a language $A \in$ P
such that for all $x \in \{0,1\}^*$

$$f(x) = |\{y \in \{0,1\}^{p(|x|)},\ (x,y) \in A\}|.$$

A function $g : \{0,1\}^* \to \mathbb{Z}$ is in GapP if there exist two functions $f, f' \in$ #P such that
$g = f - f'$. The class C=P is the set of languages $A = \{x,\ g(x) = 0\}$ for some function
$g \in$ GapP. The class ⊕P is the set of languages $A = \{x,\ f(x) \text{ is odd}\}$ for some function
$f \in$ #P. We refer the reader to [B] for more details on counting classes.

Valiant's classes and their uniform counterpart 

Let us first recall the usual definition of Valiant's classes. 

Definition 2 (Valiant's classes). Let $K$ be a field. A family $(P_n)$ of polynomials over $K$ is in
the class $\mathrm{VP}_K$ if the degree of $P_n$ is polynomial in $n$ and $(P_n)$ is computed by a family $(C_n)$
of polynomial-size arithmetic circuits over $K$.

A family $(Q_n(x))$ of polynomials over $K$ is in the class $\mathrm{VNP}_K$ if there exists a family
$(P_n(x,y)) \in \mathrm{VP}_K$ such that

$$Q_n(x) = \sum_{y \in \{0,1\}^{|y|}} P_n(x,y).$$

The size of $x$ and $y$ is limited by the circuits for $P_n$ and is therefore polynomial. Note
that the only difference between $\mathrm{VP}_K$ and $\mathrm{asize}_K(\mathrm{poly})$ is the constraint on the degree of $P_n$.
If the underlying field $K$ is clear, we shall drop the subscript "$K$" and speak only of VP and
VNP. Based on these usual definitions, we now define uniform versions of Valiant's classes.

Definition 3 (Uniform Valiant's classes). Let $K$ be a field. A family of circuits $(C_n)$ is called
uniform if the (usual, Boolean) encoding of $C_n$ can be computed in time $n^{O(1)}$. A family of
polynomials $(P_n)$ over $K$ is in the class $\text{unif-VP}_K$ if it is computed by a uniform family of
constant-free arithmetic circuits of polynomial formal degree.

A family of polynomials $(Q_n(x))$ over $K$ is in the class $\text{unif-VNP}_K$ if $Q_n$ has $n$ variables
$x = x_1, \dots, x_n$ and there exists a family $(P_n(x,y)) \in \text{unif-VP}_K$ such that

$$Q_n(x) = \sum_{y \in \{0,1\}^{|y|}} P_n(x,y).$$

The uniformity condition implies that the size of the circuit $C_n$ in the definition of unif-VP
is polynomial in $n$. Note that $\text{unif-VP}_K$ and $\text{unif-VNP}_K$ only depend on the characteristic
of the field $K$ (indeed, since no constant from $K$ is allowed in the circuits, these classes are
equal to the ones defined over the prime subfield of $K$).

In the definition of unif-VNP, we have chosen to impose that Q n has n variables because 
this enables us to give a very succinct and clear statement of our questions. This is not what 
is done in the usual non-uniform definition where the number of variables is only limited by 
the (polynomial) size of the circuit. 

The well-known "Valiant's criterion" is easily adapted to the uniform case in order to 
obtain the following alternative characterisation of unif-VNP. 

Proposition 1 (Valiant's criterion). In characteristic zero, a family $(P_n)$ is in unif-VNP iff
$P_n$ has $n$ variables, a polynomial degree and its coefficients are computable in GapP; that is,
the function mapping $(c_1, \dots, c_n)$ to the coefficient of $X_1^{c_1} \cdots X_n^{c_n}$ in $P_n$ is in GapP.
The same holds in characteristic $p > 0$ with coefficients in "GapP mod $p$".²

Over a field $K$, a polynomial $P(x_1, \dots, x_n)$ is said to be a projection of a polynomial
$Q(y_1, \dots, y_m)$ if $P(x_1, \dots, x_n) = Q(a_1, \dots, a_m)$ for some choice of $a_1, \dots, a_m \in \{x_1, \dots, x_n\} \cup K$.
A family $(P_n)$ reduces to $(Q_n)$ (via projections) if $P_n$ is a projection of $Q_{q(n)}$ for some
polynomially bounded function $q$.

The Hamiltonian Circuit polynomials are defined by

$$\mathrm{HC}_n(x_{1,1}, \dots, x_{n,n}) = \sum_{\sigma} \prod_{i=1}^{n} x_{i,\sigma(i)},$$

where the sum is on all cycles $\sigma \in S_n$ (i.e. on all the Hamiltonian cycles of the complete
graph over $\{1, \dots, n\}$). The family $(\mathrm{HC}_n)$ is known to be VNP-complete over any field [21]
(for projections).

² This is equivalent to the fact that for all $v \in \mathbb{F}_p$, the set of monomials having coefficient $v$ is in $\mathsf{Mod}_p\mathsf{P}$.



Elimination of complex constants in circuits 

The weight of a polynomial $P \in \mathbb{C}[X_1, \dots, X_n]$ is the sum of the absolute values of its
coefficients. We denote it by $\omega(P)$. It is well known that $\omega$ is a norm of algebra, that is: for
$P, Q \in \mathbb{C}[X_1, \dots, X_n]$ and $\alpha \in \mathbb{C}$, it holds that $\omega(PQ) \le \omega(P)\omega(Q)$, $\omega(P + Q) \le \omega(P) + \omega(Q)$
and $\omega(\alpha P) = |\alpha|\,\omega(P)$.

The following result gives a bound on the weight of a polynomial computed by a circuit.

Lemma 1. Let $P$ be a polynomial computed by an arithmetic circuit of size $s$ and formal
degree $d$ with constants of absolute value bounded by $M \ge 2$, then $\omega(P) \le M^{sd}$.

Proof. We prove it by induction on the structure of the circuit $C$ which computes $P$. The
inequality is clear if the output of $C$ is a constant or a variable since $\omega(P) \le M$, $s \ge 1$ and
$d \ge 1$ in this case. If the output of $C$ is a $+$ gate then $P$ is the sum of the value of two
polynomials $P_1$ and $P_2$ calculated by subcircuits of $C$ of formal degree at most $d$ and size
at most $s - 1$. By induction hypothesis, we have $\omega(P_1) \le M^{d(s-1)}$ and $\omega(P_2) \le M^{d(s-1)}$.
We have $\omega(P) \le \omega(P_1) + \omega(P_2)$ so $\omega(P) \le 2 \cdot M^{d(s-1)} \le M^{d(s-1)+1} \le M^{ds}$. If the output
of $C$ is a $\times$ gate, $P$ is the product of some polynomials $P_1$ and $P_2$ each calculated by circuits
of size at most $s - 1$ and degrees $d_1$ and $d_2$ respectively such that $d_1 + d_2 = d$. Then
$\omega(P) \le \omega(P_1)\omega(P_2) \le M^{(s-1)d_1} M^{(s-1)d_2} = M^{(s-1)d} \le M^{sd}$. □
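
The quantities in Lemma 1 can be computed on concrete circuits. The following Python sketch is an added example, not code from the paper: it represents a circuit as a list of vertices in topological order (a representation chosen here), counts every vertex towards the size, and uses hypothetical helper names (`analyse`, `power_by_squaring`) to compare the weight with the bound $M^{sd}$.

```python
def p_add(p, q):
    """Sum of two polynomials stored as {exponent tuple: coefficient}."""
    r = dict(p)
    for mono, c in q.items():
        r[mono] = r.get(mono, 0) + c
        if r[mono] == 0:
            del r[mono]
    return r


def p_mul(p, q):
    """Product of two polynomials in the same representation."""
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            mono = tuple(a + b for a, b in zip(m1, m2))
            r[mono] = r.get(mono, 0) + c1 * c2
            if r[mono] == 0:
                del r[mono]
    return r


def analyse(circuit, nvars):
    """circuit: vertices in topological order, output last. A vertex is
    ("var", i), ("const", c), ("+", u, v) or ("*", u, v), where u and v are
    indices of earlier vertices. Assumption: every vertex feeds the output,
    so the size s is simply the number of vertices."""
    polys, fdeg, consts = [], [], []
    for v in circuit:
        if v[0] == "var":
            mono = tuple(int(i == v[1]) for i in range(nvars))
            polys.append({mono: 1})
            fdeg.append(1)                      # a leaf has formal degree 1
        elif v[0] == "const":
            polys.append({(0,) * nvars: v[1]} if v[1] else {})
            fdeg.append(1)                      # constants "count as variables"
            consts.append(abs(v[1]))
        elif v[0] == "+":
            polys.append(p_add(polys[v[1]], polys[v[2]]))
            fdeg.append(max(fdeg[v[1]], fdeg[v[2]]))
        elif v[0] == "*":
            polys.append(p_mul(polys[v[1]], polys[v[2]]))
            fdeg.append(fdeg[v[1]] + fdeg[v[2]])
        else:
            raise ValueError("unknown vertex kind: %r" % (v[0],))
    s, d = len(circuit), fdeg[-1]
    M = max([2] + consts)                       # Lemma 1 requires M >= 2
    weight = sum(abs(c) for c in polys[-1].values())
    bound = M ** (s * d)
    return {"poly": polys[-1], "size": s, "formal_degree": d,
            "weight": weight, "bound": bound, "holds": weight <= bound}


def power_by_squaring(k, c):
    """Circuit for (x + c)^(2^k): one addition followed by k squarings."""
    circuit = [("var", 0), ("const", c), ("+", 0, 1)]
    for _ in range(k):
        last = len(circuit) - 1
        circuit.append(("*", last, last))
    return circuit


# No cancellation in the formal degree: x + (-1)*x is the zero polynomial,
# yet its formal degree is 2.
CANCELLING = [("var", 0), ("const", -1), ("*", 0, 1), ("+", 0, 2)]

if __name__ == "__main__":
    for name, circ in [("(x+3)^8", power_by_squaring(3, 3)),
                       ("x - x", CANCELLING)]:
        r = analyse(circ, 1)
        print(name, "s =", r["size"], "d =", r["formal_degree"],
              "weight =", r["weight"], "bound holds:", r["holds"])
```

Repeated squaring shows why the formal degree, and with it the weight, can be exponential in the size: six vertices already give formal degree 8 and weight $4^8$.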

For $a \in \mathbb{N}$, we denote by $\pi(a)$ the number of prime numbers smaller than or equal to
$a$. For a system $S$ of polynomial equations with integer coefficients, we denote by $\pi_S(a)$ the
number of prime numbers $p \le a$ such that $S$ has a solution over $\mathbb{F}_p$. The following lemma will
be useful for eliminating constants from C. (Note that the similar but weaker statement first
shown by Koiran [11] as a step in his proof of Theorem 4 would be enough for our purpose.)

Lemma 2 (Bürgisser [U p. 64]). Let $S$ be a system of polynomial equations

$$P_1(x) = 0, \dots, P_m(x) = 0$$

with coefficients in $\mathbb{Z}$ and with the following parameters: $n$ unknowns, and for all $i$, degree
of $P_i$ at most $d$ and $\omega(P_i) \le w$. If the system $S$ has a solution over C then under GRH,

$$\pi_S(a) \ge \frac{\pi(a)}{d^{O(n)}} - \sqrt{a}\,\log(wa).$$

At last, we need a consequence of VNP having small arithmetic circuits over the complex 
field. 

Lemma 3. Assume GRH. If VP = VNP over C, then CH = MA.

Proof. Assume VP = VNP over C. From the work on Boolean parts of Valiant's classes [H 
Chapter 4], this implies P/poly = PP/poly = CH/poly, therefore MA = CH [H]. □ 

3 Hard polynomials with coefficients in MA 

We begin with lower bounds on polynomials with coefficients in PH before bringing them 
down to MA. 



Hard polynomials with coefficients in PH 

We first need to recall a couple of results. The first one is an upper bound on the complexity 
of the following problem called HN: 

Input: A system $S = \{P_1 = 0, \dots, P_m = 0\}$ of $n$-variate polynomial equations with integer
coefficients, each polynomial $P_i \in \mathbb{Z}[x_1, \dots, x_n]$ being given as a constant-free arithmetic
circuit.

Question: Does the system $S$ have a solution over $\mathbb{C}^n$?

Theorem 4 (Koiran [11]). Assuming GRH is true, HN $\in$ PH.

Koiran's result is stated here for polynomials given by arithmetic circuits, instead of the 
list of their coefficients. Adapting the result of the original paper in terms of arithmetic 
circuits is not difficult: it is enough to add one equation per gate expressing the operation 
made by the gate, thus simulating the whole circuit. 

The second result is used in the proof of Schnorr's result mentioned in the introduction. 

Lemma 4 (Schnorr [18]). Let $(U_n)$ be the family of polynomials defined inductively as follows:

<2q + 6q x where Oq , b and x are new variables 
Sr=i a i n Ui ) (!Cr=i "■> i Ui) where of ,b\ n are new variables. 

Thus $U_n$ has variables $x$, $a_i^{(j)}$ and $b_i^{(j)}$ (for $1 \le j \le n$ and $0 \le i < j$). For simplicity, we will
write $U_n(a,b,x)$, where the total number of variables in the tuples $a, b$ is $n(n+1)$.

For every univariate polynomial $P(x)$ over C computed by an arithmetic circuit of size $s$,
there are constants $a, b \in \mathbb{C}^{s(s+1)}$ such that $P(x) = U_s(a,b,x)$.

The polynomials U s in this lemma are universal in the sense that they can simulate any 
circuit of size s; the definition of such a polynomial indeed reproduces the structure of an 
arbitrary circuit by letting at each gate the choice of the inputs and of the operation, thanks 
to new variables. 

The third result we'll need is due to Hrubes and Yehudayoff [7] and relies on Bezout's 
Theorem. Showing Theorem [5] could also be done without using algebraic geometry, but this 
would complicate the overall proof. 

Lemma 5 (Hrubes and Yehudayoff [7]). Let $F : \mathbb{C}^n \to \mathbb{C}^m$ be a polynomial map of degree
$d > 0$, that is, $F = (F_1, \dots, F_m)$ where each $F_i$ is a polynomial of degree at most $d$. Then
$|F(\mathbb{C}^n) \cap \{0,1\}^m| \le (2d)^n$.

We are now ready to give our theorem. 

Theorem 5. Assume GRH is true. For any constant $k$, there is a family $(P_n)$ of univariate
polynomials with coefficients in $\{0,1\}$ satisfying:

• $\deg(P_n) = n^{O(1)}$ (polynomial degree);

• the coefficients of $P_n$ are computable in PH, that is, on input $(1^n, i)$ we can decide in
PH if the coefficient of $x^i$ is 1;

• $(P_n)$ is not computed by arithmetic circuits over C of size $n^k$.



Proof. Fix $s = n^k$. Consider the universal polynomial $U_s(a,b,x)$ of Lemma 4 simulating
circuits of size $s$. If $\alpha_i^{(s)}$ denotes the coefficient of $x^i$ in $U_s$, then we have the relation

«I S) = E «M sl) «i S2) - 



i 1 +i 2 =i 
s 1 ,s 2 <s 



By induction, the coefficient $\alpha_i^{(s)}$ is therefore a polynomial in $a, b$ of degree $\le (i+1)2^{2s}$.

Now, we would like to find a polynomial whose coefficients are different from the $\alpha_i^{(s)}$ for
any value of $a, b$. This will be done thanks to Lemma 5 but we have to use it in a clever way
because our method requires the use of interpolation on $d + 1$ points to identify two polynomials
of degree $d$: hence we need to "truncate" the polynomial $U_s$ to degree $d$.

Fix $d = s^4$. It follows from the beginning of the proof that the map computing the first
$(d+1)$ coefficients of $U_s$

$$F : \mathbb{C}^{s(s+1)} \to \mathbb{C}^{d+1}, \qquad (a,b) \mapsto (\alpha_0^{(s)}, \dots, \alpha_d^{(s)})$$

is a polynomial map of degree at most $(d+1)2^{2s}$. Since $((d+1)2^{2s})^{s(s+1)} < 2^{d+1}$, by Lemma 5
there exist coefficients $(\beta_0, \dots, \beta_d) \in \{0,1\}^{d+1}$ not in $F(\mathbb{C}^{s(s+1)})$. In other words, for any
values of $a, b$ in C, the first $(d+1)$ coefficients of $U_s$ differ from $(\beta_0, \dots, \beta_d)$.

Let $P_\beta(x)$ be the polynomial $\sum_{i=0}^{d} \beta_i x^i$ and let us call $U_s|_d$ the truncation of $U_s$ up to
degree $d$, that is, the sum of all the monomials of degree $\le d$ in $x$. For any instantiation of $a, b$
in C, we have $U_s|_d(a,b,x) \ne P_\beta(x)$. Since both polynomials are of degree smaller than or equal
to $d$, this means that there exists an integer $m \in \{0, \dots, d\}$ such that $U_s|_d(a,b,m) \ne P_\beta(m)$.
Therefore the following system of polynomial equations with unknowns $a, b$:

$$S_\beta = \{U_s|_d(a,b,m) = P_\beta(m) : m \in \{0, \dots, d\}\}$$

has no solution over C.

Conversely, consider now this system for other coefficients than $\beta$, that is, $S_\gamma$ for $\gamma_0, \dots, \gamma_d \in \{0,1\}$.
If $S_\gamma$ does not have a solution over C, this means that for any instantiation of $a, b \in \mathbb{C}$
we have $U_s|_d(a,b,x) \ne P_\gamma(x)$, hence $P_\gamma$ is not computable by a circuit of size $s$ by Lemma 4.

The goal now is then to find values of $\gamma \in \{0,1\}^{d+1}$ such that $S_\gamma$ does not have a solution
over C.

Remark first that on input $\gamma_0, \dots, \gamma_d \in \{0,1\}$ and $m \in \{0, \dots, d\}$, we can describe in
polynomial time a circuit $C_{\gamma,m}(a,b)$ computing the polynomial $U_s|_d(a,b,m) - P_\gamma(m)$. Indeed,
$U_s$ is computable by an easily described circuit following its definition, hence its truncation
to degree $d$ also is, and a circuit for $P_\gamma$ is also immediate if we are given $\gamma$. Therefore, we can
describe in polynomial time the system $S_\gamma$ to be used in Theorem 4.

The algorithm in PH to compute the coefficients of a polynomial $P_\beta$ without circuits of
size $s$ is then the following on input $(1^n, i)$:

• Find the lexicographically first $\gamma_0, \dots, \gamma_d \in \{0,1\}$ such that $S_\gamma \notin$ HN;

• accept iff $\gamma_i = 1$.

This algorithm is in PH . By Theorem 4, if we assume GRH then the problem HN is in
PH. We deduce that computing the coefficients of $P_\gamma$ can be done in PH. □



Hard polynomials with coefficients in MA 

Allowing n variables instead of only one, we can even obtain lower bounds for polynomials 
with coefficients in MA. 

Corollary 1. Assume GRH is true. For any constant $k$, there is a family $(P_n)$ of polynomials
on $n$ variables, with coefficients in $\{0,1\}$, of degree $n^{O(1)}$, with coefficients computable in MA,
and such that $(P_n) \notin \mathrm{asize}_{\mathbb{C}}(n^k)$.

Proof. If the Hamiltonian family $(\mathrm{HC}_n)$ does not have circuits of polynomial size over C,
consider the following variant of a family with $n$ variables: $\mathrm{HC}'_n(x_1, \dots, x_n) = \mathrm{HC}_{\lfloor\sqrt{n}\rfloor}(x_1, \dots, x_{\lfloor\sqrt{n}\rfloor^2})$.
This is a family whose coefficients are in P (hence in MA) and without circuits of
size $n^k$.

On the other hand, if the Hamiltonian family $(\mathrm{HC}_n)$ has circuits of polynomial size over
C, then PH = MA by Lemma 3. Therefore the family of polynomials of Theorem 5 has its
coefficients in MA. □

Hard polynomials that can be evaluated in AM 

A family of polynomials $(P_n(x_1, \dots, x_n))$ is said to be evaluable in AM if the language

$$\{(x_1, \dots, x_n, i, b) \mid \text{the } i\text{-th bit of } P_n(x_1, \dots, x_n) \text{ is } b\}$$

is in AM, where $x_1, \dots, x_n, i$ are integers given in binary and $b \in \{0,1\}$. In the next proposition,
we show how to obtain polynomials which can be evaluated in AM. The method is
based on Santhanam [17] and Koiran [12].

Proposition 2. Assume GRH is true. For any constant $k$, there is a family $(P_n)$ of polynomials
on $n$ variables, with coefficients in $\{0,1\}$, of degree $n^{O(1)}$, evaluable in AM and such
that $(P_n) \notin \mathrm{asize}_{\mathbb{C}}(n^k)$.



Proof. We adapt the method of Santhanam [17] to the case of circuits with complex constants.

If the permanent has polynomial-size circuits over C, then PH = MA by Lemma 3 and
hence the family of polynomials of Theorem 5 is evaluable in MA $\subseteq$ AM.

Otherwise, call $s(n)$ the minimal size of a circuit over C for $\mathrm{per}_n$. The $n$-tuple of variables
$(x_1, \dots, x_n)$ is split in two parts $(y, z)$ in the unique way satisfying $0 < |y| \le |z|$ and $|z|$ a
power of two. Remark therefore that $|y|$ can take all the values from 1 to $|z|$ depending on $n$.
We now define the polynomial $P_n(y,z)$:

$$P_n(y,z) = \begin{cases} \mathrm{per}(y) & \text{if } |y| \text{ is a square and } s(\sqrt{|y|}) \le n^{2k}, \\ 0 & \text{otherwise.} \end{cases}$$

Let us first show that $(P_n)$ does not have circuits of size $n^k$. By hypothesis there exist
infinitely many $n$ such that $s(n) > (3n^2)^{2k}$: let $n_0$ be one of them and take $m$ the least power
of two such that $s(n_0) \le (m + n_0^2)^{2k}$, which implies $m \ge 2n_0^2$. Let $n_1 = m + n_0^2$; by definition of
$(P_n)$, we have $P_{n_1}(y,z) = \mathrm{per}_{n_0}(y)$. By definition of $m$, $s(n_0) > (m/2 + n_0^2)^{2k} > (n_1/2)^{2k} > n_1^k$.
This means that $\mathrm{per}_{n_0}$, and hence $P_{n_1}$, does not have circuits of size $n_1^k$.

We now show that $(P_n)$ can be evaluated in AM. We give an AMA protocol which is
enough since AMA = AM (see pj).



The protocol described below heavily relies on the technique used in [12, Theorem 2] to
prove that HN $\in$ AM.

In the following, we need to test if $\mathrm{per}_t$ (for some $t$) has an arithmetic circuit of size $s$ over
the complex field. If this is true, Merlin can give the skeleton of the circuit but he cannot give
the complex constants. Hence, he gives a circuit $C(y,u)$ where $y$ is the input (of size $t \times t$)
and $u$ a tuple of formal variables. Consider the following system $S$: for all $e \in \{0, \dots, 2^s\}^{|y|}$,
take the equation $C(e,u) = \mathrm{per}_t(e)$. For some values $\alpha \in \mathbb{C}^{|u|}$, the degree of the polynomial
computed by the circuit $C(y,\alpha)$ is at most $2^s$; hence, the system $S$ is satisfiable over C iff the
variables $u$ can be replaced by complex numbers $\alpha$ such that $C(y,\alpha)$ computes the permanent
over the complex field.

The system $S$ has the following parameters: the number of variables is $|u|$ which is at most
$s$, the degree of each equation is bounded by $2^s$, the number of equations is $2^{O(s^2)}$ and the
bitsize of each coefficient is $2^s$. Hence, by [12, Theorem 1], there is an integer $m = s^{O(1)}$
and $x_0 = 2^s$ such that the following holds. Let $E$ be the set of primes $p$ smaller than $x_0$
such that $S$ has a solution modulo $p$.

• If $S$ is not satisfiable over C, then $|E| \le 2^{m-2}$;

• If $S$ is satisfiable over C, then $|E| \ge m2^m$.

Testing if $|E|$ is large or small is done via the following probabilistic argument. For some
matrices $A_j$ over $\mathbb{F}_2$, the predicate $\phi(A_1, \dots, A_m)$ is defined as

$$\exists p_0, p_1, \dots, p_m \in E : \psi(A_1, \dots, A_m, p_0, \dots, p_m)$$

where

$$\psi(A_1, \dots, A_m, p_0, \dots, p_m) = \bigwedge_{j=1}^{m} \left(A_j p_0 = A_j p_j \wedge p_0 \ne p_j\right).$$

If $A_j$ are seen as hashing functions, the predicate $\phi$ above expresses that there are enough
collisions between elements of $E$. Based on [19], it is proved in [12] that if $|E| \le 2^{m-2}$,
the probability that $\phi(A_1, \dots, A_m)$ holds is at most 1/2 when the matrices $A_j$ are chosen
uniformly at random, whereas it is 1 when $|E| \ge m2^m$.
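
The collision predicate can be tried out on toy sets. The following Python sketch is an added example, not code from the paper or from [12]: it assumes each $A_j$ is an $m \times \ell$ matrix over $\mathbb{F}_2$ applied to the $\ell$-bit binary expansion of a prime (the text above does not fix the dimensions), and the sets `E_LARGE` and `E_SMALL` are constructed stand-ins for $E$.

```python
import random


def apply_matrix(rows, p):
    """Hash the integer p (read as a bit vector) with a matrix over F_2.
    Each row is a bit mask; the j-th output bit is the parity of row & p."""
    h = 0
    for row in rows:
        h = (h << 1) | (bin(row & p).count("1") & 1)
    return h


def phi(matrices, E):
    """True iff some p0 in E has, for every matrix A_j, a partner pj in E
    with pj != p0 and A_j p0 = A_j pj (the predicate phi of the text)."""
    candidates = set(E)
    for rows in matrices:
        buckets = {}
        for p in E:
            buckets.setdefault(apply_matrix(rows, p), []).append(p)
        # only elements sharing a bucket with another element survive
        collided = {p for b in buckets.values() if len(b) >= 2 for p in b}
        candidates &= collided
    return bool(candidates)


def random_matrices(m, nbits, rng):
    """m matrices, each with m rows of nbits uniformly random bits."""
    return [[rng.getrandbits(nbits) for _ in range(m)] for _ in range(m)]


def acceptance_rate(E, m, nbits, trials, seed):
    """Fraction of random choices of (A_1, ..., A_m) for which phi holds."""
    rng = random.Random(seed)
    hits = sum(phi(random_matrices(m, nbits, rng), E) for _ in range(trials))
    return hits / trials


def primes_below(n):
    sieve = [True] * n
    sieve[0:2] = [False, False]
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = [False] * len(sieve[i * i::i])
    return [i for i, is_p in enumerate(sieve) if is_p]


M, NBITS = 3, 7                       # toy parameters, constructed for the demo
E_LARGE = primes_below(128)[:24]      # |E| = 24 = m * 2^m  ("satisfiable" case)
E_SMALL = [2, 3]                      # |E| = 2 = 2^(m-2)   ("unsatisfiable" case)

if __name__ == "__main__":
    print("large E:", acceptance_rate(E_LARGE, M, NBITS, 200, seed=1))
    print("small E:", acceptance_rate(E_SMALL, M, NBITS, 2000, seed=1))
```

For the large set the rate is exactly 1 by a counting argument: each $A_j$ leaves fewer than $2^m$ elements alone in their bucket, so fewer than $m2^m$ elements are excluded overall.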

We are now ready to explain the AMA protocol to evaluate the family $(P_n)$. On input
$(x_1, \dots, x_n, i, b)$, the AMA protocol is the following:

• Arthur splits $(x_1, \dots, x_n)$ in $(y,z)$ in the unique way. If $|y|$ is not a square, he accepts
if $b = 0$ and rejects if $b \ne 0$. Otherwise, call $t = \sqrt{|y|}$; Arthur sends to Merlin random
matrices $A_1, \dots, A_m$ over $\mathbb{F}_2$.

• Merlin sends to Arthur the skeleton $C(y,u)$ of a circuit of size $\le n^{2k}$ supposedly computing
$\mathrm{per}_t$ over C (that is, the circuit with complex constants replaced with formal
variables $u$). He also sends prime integers $p_0, \dots, p_m$ together with constants $\alpha_{p_j} \in \mathbb{F}_{p_j}^{|u|}$
for $C$, for all $0 \le j \le m$. He also sends a prime number $p \ge n!\,M^n$ (where $M$ is the
largest value in $(x_1, \dots, x_n)$) and constants $\alpha_p$ over $\mathbb{F}_p$ for $C$.

• Arthur checks that $p_0, \dots, p_m$ produce a collision (that is, that $\psi(A_1, \dots, A_m, p_0, \dots, p_m)$
is true). Then he checks that all $p_j$ and $p$ are primes and that the circuits $C(y, \alpha_{p_j})$
and $C(y, \alpha_p)$ compute the permanent modulo $p_0, \dots, p_m, p$ (using the coRP algorithm
of [H]). If any of these tests fails, Arthur accepts iff $b = 0$. Otherwise, he computes
$C(y, \alpha_p)$ and accepts iff its $i$-th bit is equal to $b$.



If $(y,z)$ is such that $|y|$ is a square and $s(|y|) \le n^{2k}$, then $P_n(y,z) = \mathrm{per}(y)$. We show
that Merlin can convince Arthur with probability 1. Merlin sends a correct skeleton $C$: since
$|E| \ge m2^m$, there are prime integers $p_0, \dots, p_m \in E$ such that $\psi(A_1, \dots, A_m, p_0, \dots, p_m)$
holds. Merlin sends such numbers $p_j$ and $p$ together with the correct constants for the circuit
$C$ to compute the permanent modulo $p_j$ and $p$. In the third round, all the verifications are
satisfied with probability 1 and Arthur gives the right answer.

On the other hand, if $|y|$ is not a square then whatever Merlin sends, Arthur accepts
only if $b = 0$, which is the right answer. Assume now that $s(|y|) > n^{2k}$; then $|E| \le 2^{m-2}$.
Whatever Merlin sends as prime numbers $p_j$, the probability (over the matrices $A$) that all $p_j$
belong to $E$ and produce a collision is at most 1/2. Since the error when testing if $p_j \in E$ can
be made as small as we wish (testing if $C(y, \alpha_{p_j})$ computes $\mathrm{per}(y) \bmod p_j$ is done in coRP),
the probability that the whole protocol gives the wrong answer in this case is bounded by
2/3. □

4 Conditional lower bounds for uniform VNP 

In characteristic zero 

In this whole section we assume GRH is true. Our main result in this section is that if for all
$k$, C=P has no circuits of size $n^k$, then the same holds for unif-VNP (in characteristic zero).
For the clarity of exposition, we first prove the weaker result where the assumption is on the
class NP instead.

Lemma 6. If there exists $k$ such that unif-VNP $\subset \mathrm{asize}_{\mathbb{C}}(n^k)$, then there exists $\ell$ such that
NP $\subset \mathrm{size}(n^\ell)$.

Proof. Let us assume that unif-VNP $\subset \mathrm{asize}_{\mathbb{C}}(n^k)$. Let $L \in$ NP. There is a polynomial $q$
and a polynomial time computable relation $\phi : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}$ such that for all
$x \in \{0,1\}^n$, $x \in L$ if and only if $\exists y \in \{0,1\}^{q(n)}\ \phi(x,y) = 1$.
We define the polynomial $P_n$ by

$$P_n(X_1, \dots, X_n) = \sum_{x \in \{0,1\}^n} \Big( \sum_{y \in \{0,1\}^{q(n)}} \phi(x,y) \Big) \prod_{i=1}^{n} X_i^{x_i} (1 - X_i)^{1 - x_i}.$$

Note that for $x \in \{0,1\}^n$, $P_n(x)$ is the number of elements $y$ in relation with $x$ via $\phi$. By
Valiant's criterion (Proposition 1), the family $(P_n)$ belongs to unif-VNP in characteristic 0.
By hypothesis, there exists a family of arithmetic circuits $(C_n)$ over C computing $(P_n)$, with
$C_n$ of size $t = O(n^k)$.

Let $\alpha = (\alpha_1, \dots, \alpha_t)$ be the complex constants used by the circuit. We have $P_n(X_1, \dots, X_n) = C_n(X_1, \dots, X_n, \alpha)$.
Take one unknown $Y_j$ for each $\alpha_j$ and one additional unknown $Z$, and
consider the following system $S$:

$$\begin{cases} \Big( \prod_{x \in L \cap \{0,1\}^n} C_n(x, Y) \Big) \cdot Z = 1 \\ C_n(x, Y) = 0 \quad \text{for all } x \in \{0,1\}^n \setminus L. \end{cases}$$

Note that introducing one equation for each $x \in L \cap \{0,1\}^n$ (as we did for each $x \in \{0,1\}^n \setminus L$)
would not work since it would require introducing an exponential number of new
variables.

Let $\beta = \big( \prod_{x \in L \cap \{0,1\}^n} C_n(x, \alpha) \big)^{-1}$. Then $(\alpha, \beta)$ is a solution of $S$ over C.
The system $S$ has $t + 1 = O(n^k)$ unknowns. The degree of $C_n(x,y)$ is bounded by $2^t$;
hence the degree of $S$ is at most $2^{O(n^k)}$. Moreover, the weight of the polynomials in $S$ is
bounded by $2^{2^{O(n^k)}}$ using Lemma 1.

Since the system $S$ has the solution $(\alpha, \beta)$ over C, by Lemma 2 it has a solution over $\mathbb{F}_p$
for some $p$ small enough. We recall that $\pi(p) \sim p / \log p$; hence the system $S$ has a solution
over $\mathbb{F}_p$ for $p = 2^{O(n^{2k})}$.

Consider $p$ as above and $(\alpha', \beta')$ a solution of the system $S$ over $\mathbb{F}_p$. By definition of $S$,
when the circuit $C_n$ is evaluated over $\mathbb{F}_p$, the following is satisfied:

$$\begin{cases} \forall x \in L \cap \{0,1\}^n, & C_n(x, \alpha') \ne 0, \\ \forall x \in \{0,1\}^n \setminus L, & C_n(x, \alpha') = 0. \end{cases}$$

Computations over $\mathbb{F}_p$ can be simulated by Boolean circuits, using $\log_2 p$ bits to represent an
element of $\mathbb{F}_p$, and $O(\log p)$ gates to simulate an arithmetic operation. This yields Boolean
circuits of size $n^\ell$ for $\ell = O(k)$ to decide the language $L$. □

Theorem 6. Assume GRH is true. Suppose one of the following conditions holds:

1. NP $\not\subset \mathrm{size}(n^k)$ for all $k$;

2. C=P $\not\subset \mathrm{size}(n^k)$ for all $k$;

3. MA $\subset \mathrm{size}(n^k)$ for some $k$;

4. NP = MA.

Then unif-VNP $\not\subset \mathrm{asize}_{\mathbb{C}}(n^k)$ for all $k$.

Proof. The first point is proved in Lemma 6.

The second point subsumes the first since coNP $\subseteq$ C=P. It can be proved in a very similar
way. Indeed consider $L \in$ C=P and $f \in$ GapP such that $x \in L \iff f(x) = 0$, and its
associated family of polynomials

$$P_n(X_1, \dots, X_n) = \sum_{x \in \{0,1\}^n} f(x) \prod_{i=1}^{n} X_i^{x_i} (1 - X_i)^{1 - x_i}$$

as in the proof of Lemma 6. Then for all $x \in \{0,1\}^n$, $P_n(x) = 0$ iff $x \in L$. The family $(P_n)$
belongs to unif-VNP and thus, assuming unif-VNP $\subset \mathrm{asize}_{\mathbb{C}}(n^k)$, has arithmetic circuits $(C_n)$
over C of size $t = O(n^k)$. Constants of C are replaced with elements of a small finite field by
considering the system:

$$\begin{cases} C_n(x, Y) = 0 \quad \text{for all } x \in L \cap \{0,1\}^n \\ \Big( \prod_{x \in \{0,1\}^n \setminus L} C_n(x, Y) \Big) \cdot Z = 1. \end{cases}$$

The end of the proof is similar.

For the third point, let us assume unif-VNP $\subset \mathrm{asize}_{\mathbb{C}}(\mathrm{poly})$. It implies VP = VNP thanks
to the VNP-completeness of the uniform family $(\mathrm{HC}_n)$, then MA = PP by Lemma 3. This
implies MA $\not\subset \mathrm{size}(n^k)$ for all $k$ since PP $\not\subset \mathrm{size}(n^k)$ for all $k$ [22].

For the last point, assume NP = MA. If NP is without $n^k$ circuits for all $k$, then the
conclusion comes from the first point. Otherwise MA has $n^k$-size circuits and the conclusion
follows from the previous point. □

For any constant $c$, the class $\mathsf{P}^{\mathsf{NP}[n^c]}$ is the set of languages decided by a polynomial time
machine making $O(n^c)$ calls to an NP oracle. It is proven in [5] that NP $\subset \mathrm{size}(n^k)$ implies
$\mathsf{P}^{\mathsf{NP}[n^c]} \subset \mathrm{size}(n^{ck})$. Hence, it is enough to assume fixed-polynomial lower bounds on this
larger class $\mathsf{P}^{\mathsf{NP}[n^c]}$ for some $c$ to get fixed-polynomial lower bounds on $\text{unif-VNP}_{\mathbb{C}}$.

An unconditional lower bound in characteristic zero 

In this part we do not allow arbitrary constants in circuits. We consider instead circuits with 
$-1$ as the only scalar that can label the leaves. For $s : \mathbb{N} \to \mathbb{N}$, let $\mathrm{asize}_0(s)$ be the family 
of polynomials computed by families of unbounded degree constant-free circuits of size $O(s)$ 
(in characteristic zero). Note that the formal degree of these circuits is not polynomially 
bounded: hence, large constants produced by small arithmetic circuits can be used. 

We first need a result of [1]. Let PosCoefSLP be the following problem: on input $(C, i)$ 
where $C$ is a constant-free circuit with one variable $x$ and $i$ is an integer, decide whether the 
coefficient of $x^i$ in the polynomial computed by $C$ is positive. 

Lemma 7 ([1]). PosCoefSLP is in CH. 

Theorem 7. $\text{unif-VNP} \not\subset \mathrm{asize}_0(n^k)$ for all $k$. 

Proof. If the permanent family does not have constant-free arithmetic circuits of polynomial 
size, then this family matches the statement. 

Otherwise, CH = MA by Lemma 3. For a given constant-free circuit $C$ computing a 
univariate polynomial $P = \sum_{i \geq 0} a_i x^i$, its "sign condition" is defined as the series $(b_i)_{i \in \mathbb{N}}$ 
where $b_i \in \{0, 1\}$, $b_i = 1$ iff $a_i > 0$. 

Note that for some constant $\alpha$, there are at most $2^{n^{\alpha k}}$ different sign conditions of constant-free 
circuits of size $n^k$ (at most one per circuit). Hence there exists a sign condition 

$$(b_0, \dots, b_{n^{\alpha k}}, 0, 0, \dots)$$

such that any polynomial with such a sign condition is not computable by constant-free 
circuits of size $n^k$. We define $b_0, \dots, b_{n^{\alpha k}}$ to be the lexicographically first such bits. 

We can express these bits as the first in lexicographic order such that for every constant-free 
circuit $C$, there exists $i$ such that: 

$b_i = 0$ iff the coefficient of $x^i$ in $C$ is positive. 

Therefore they can be computed in $\mathrm{PH}^{\mathrm{PosCoefSLP}}$, hence in CH by Lemma, hence in MA 
since CH = MA. By reducing the probability of error in the MA protocol, this means that 
there exists a polynomial-time function $a : \{0, 1\}^* \to \{0, 1\}$ such that: 

$$\begin{cases} \exists y \ \sum_{r} a(i, y, r) \geq (1 - 2^{-|y|-1}) N & \text{if } b_i = 1 \\ \forall y \ \sum_{r} a(i, y, r) \leq 2^{-|y|-1} N & \text{if } b_i = 0, \end{cases}$$

where $y$ and $r$ are words of polynomial size, and where $N = 2^{|r|}$. Now, the following polynomial 
family: 

$$P_n(x) = \sum_{j=0}^{n^{\alpha k}} \Big( \Big( \sum_{y, r} a(j, y, r) \Big) - N/2 \Big) x^j$$

is in unif-VNP and has sign condition $(b_0, \dots, b_{n^{\alpha k}}, 0, 0, \dots)$. □ 

In positive characteristic 

This subsection deals with fixed-polynomial lower bounds in positive characteristic. The 
results are presented in characteristic 2 but they hold in any positive characteristic $p$ (replacing 
$\oplus\mathrm{P}$ with $\mathrm{Mod}_p\mathrm{P}$). 

Lemma 8. Consider the polynomial 

$$P(X_1, \dots, X_n) = \sum_{y_1, \dots, y_p \in \{0,1\}} C(X_1, \dots, X_n, y_1, \dots, y_p)$$

where $C$ is an arithmetic circuit of size $s$ and total degree at most $d$ (with respect to all the 
variables $X_1, \dots, X_n, y_1, \dots, y_p$). Then $P$ is a projection of $\mathrm{HC}_{(sd)^{O(1)}}$. 

Proof. This lemma follows from a careful inspection of the proof of VNP-completeness of the 
Hamiltonian given in Malod [15]. We give some more details below. 

From the fact that $\mathrm{VNP} = \mathrm{VNP}_e$ [4, Theorem 2.13], we can write $P$ as a Boolean sum of 
formulas, i.e. 

$$P(X_1, \dots, X_n) = \sum_{z_1, \dots, z_q \in \{0,1\}} F(X_1, \dots, X_n, z_1, \dots, z_q).$$

Moreover, $q = s^{O(1)}$ and an inspection of the proof of $\mathrm{VNP} = \mathrm{VNP}_e$ given in [15] shows that 
the size of the formula $F$ is $(sd)^{O(1)}$. By [15, Lemme 8], a formula is a projection of the 
Hamiltonian circuit polynomial of linear size. This yields 

$$P(X_1, \dots, X_n) = \sum_{z_1, \dots, z_q \in \{0,1\}} \mathrm{HC}_{s'}(a_1, \dots, a_{s'})$$

where $s' = (sd)^{O(1)}$ and $a_j \in \{X_1, \dots, X_n, z_1, \dots, z_q, -1, 0, 1\}$. Finally, in order to write this 
exponential sum as a projection of a not too large Hamiltonian circuit, a sum gadget of size 
$O(q)$ and $O(s')$ XOR gadgets of size $O(1)$ are needed [15, Théorème 7]. Hence, the polynomial 
$P$ is a projection of $\mathrm{HC}_{(sd)^{O(1)}}$. □ 

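Theorem 8. The following are equivalent: 

• $\text{unif-VNP}_{\mathbb{F}_2} \subset \mathrm{asize}_{\mathbb{F}_2}(n^k)$ for some $k$; 

• $\mathrm{VP}_{\mathbb{F}_2} = \mathrm{VNP}_{\mathbb{F}_2}$ and $\oplus\mathrm{P} \subset \mathrm{size}(n^k)$ for some $k$. 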

Proof. Suppose that $\text{unif-VNP}_{\mathbb{F}_2} \subset \mathrm{asize}_{\mathbb{F}_2}(n^k)$. Then the Hamiltonian polynomials $(\mathrm{HC}_n)$ 
have $O(n^k)$ size circuits and thus VP = VNP over $\mathbb{F}_2$. Let $L \in \oplus\mathrm{P}$ and the corresponding 
function $f \in \#\mathrm{P}$ so that 

$$x \in L \iff f(x) \text{ is odd}.$$

Consider the sequence of polynomials $P_n \in \mathbb{F}_2[X_1, \dots, X_n]$ associated to $L$: 

$$P_n(X_1, \dots, X_n) = \sum_{x \in \{0,1\}^n} f(x) \prod_{i=1}^{n} X_i^{x_i} (1 - X_i)^{1 - x_i}$$

This family belongs to unif-VNP over $\mathbb{F}_2$. Hence, $P_n$ has $O(n^k)$ size circuits. It can be 
simulated by a Boolean circuit of the same size within a constant factor, and yields $O(n^k)$ 
size circuits for $L$. Hence $\oplus\mathrm{P} \subset \mathrm{size}(n^k)$. 

For the converse, suppose that $\oplus\mathrm{P} \subset \mathrm{size}(n^k)$ and $\mathrm{VP}_{\mathbb{F}_2} = \mathrm{VNP}_{\mathbb{F}_2}$, and let $(P_n) \in 
\text{unif-VNP}_{\mathbb{F}_2}$. We can write 

$$P_n(X_1, \dots, X_n) = \sum_{m_1, \dots, m_n \in \{0, \dots, d\}} \varphi(m_1, \dots, m_n) \prod_{i=1}^{n} X_i^{m_i}$$

where $d$ is a bound on the degree of each variable of $P_n$. Since the coefficients of $P_n$ belong 
to $\oplus\mathrm{P}$, they can be computed by Boolean circuits of size $O(\tilde{n}^k)$ with $\tilde{n} = n \log n$ (by our 
hypothesis on circuits size for $\oplus\mathrm{P}$ languages and the fact that the function $\varphi$ takes $n \log d$ 
bits). 

These Boolean circuits can in turn be simulated by (Boolean) sums of arithmetic circuits 
of size and formal degree $O(\tilde{n}^k)$ by the usual method (see e.g. the proof of Valiant's criterion 
m@j). 

Hence we have written $P_n = \sum_{y} \psi(X, y)$, i.e. $P_n$ is a sum over $O(\tilde{n}^k)$ variables in $\mathbb{F}_2$ 
of an arithmetic circuit $\psi$ of size $O(\tilde{n}^k)$, and the degree of $\psi$ is $O(\tilde{n}^k)$. By Lemma 8, $P_n$ 
is a projection of $\mathrm{HC}_{\tilde{n}^{O(k)}}$. By hypothesis, the uniform family $(\mathrm{HC}_n)$ has $O(n^k)$ arithmetic 
circuits. Hence, $(P_n)$ has arithmetic circuits of size $n^{O(k^2)}$. □ 
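
The first direction of the proof of Theorem 8 rests on the fact that the polynomial $P_n$ attached to a counting function $f$ agrees with the parity of $f$ on every Boolean point. The following Python sketch is an added illustration, not part of the paper: it checks this over $\mathbb{F}_2$ and expands $P_n$ into monomials. The counting function `toy_count` and all function names are assumptions made for the example.

```python
from itertools import product

def toy_count(x):
    """Constructed stand-in for a #P function f: counts pairs i < j with x_i = x_j = 1."""
    ones = sum(x)
    return ones * (ones - 1) // 2

def eval_interpolation(f, n, point):
    """P_n(point) over F_2: sum over x of f(x) * prod_i X_i^{x_i} (1 - X_i)^{1 - x_i}."""
    total = 0
    for x in product((0, 1), repeat=n):
        term = f(x) % 2
        for x_i, X_i in zip(x, point):
            term *= X_i if x_i else (1 - X_i) % 2
        total ^= term
    return total

def monomial_coefficients(f, n):
    """Monomial expansion of P_n over F_2.
    Since prod_{x_i=1} X_i * prod_{x_i=0} (1 + X_i) is the sum of all monomials X^S
    with S containing x, the coefficient of X^S is the parity of sum_{x subset of S} f(x)."""
    coeffs = {}
    for S in product((0, 1), repeat=n):
        c = 0
        for x in product((0, 1), repeat=n):
            if all(x_i <= s_i for x_i, s_i in zip(x, S)):
                c ^= f(x) % 2
        coeffs[S] = c
    return coeffs

def eval_monomials(coeffs, point):
    """Evaluate the expanded polynomial at a Boolean point over F_2."""
    total = 0
    for S, c in coeffs.items():
        if c and all(p for s, p in zip(S, point) if s):
            total ^= 1
    return total

def decides_language(f, n):
    """True iff P_n(x) = 1 exactly when f(x) is odd, for both representations."""
    coeffs = monomial_coefficients(f, n)
    return all(
        eval_interpolation(f, n, x) == eval_monomials(coeffs, x) == f(x) % 2
        for x in product((0, 1), repeat=n)
    )
```

For $n = 3$ the expansion of this toy family is $X_1X_2 + X_1X_3 + X_2X_3$, so evaluating $P_3$ on a Boolean input decides the toy language $\{x : f(x) \text{ odd}\}$.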